publicWagsHome
/
amcrest2mqtt
mirror of https://github.com/dchesterton/amcrest2mqtt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4 from weirdtangent/security/update-trivy-config

Browse Source 
chore: enhance Trivy security scanning configuration
pull/106/head
Jeff Culverhouse 2 weeks ago committed by GitHub
parent d66d3aebbc 21925c5688
commit 6d0a0d007d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.github/workflows/deploy.yaml vendored
Unescape Escape View File

@ -191,6 +191,7 @@ jobs:
format: 'sarif' format: 'sarif'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH' severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@27fcff4ecb39e96348e7ceddcc2d9ef42308b6fc # v4 uses: github/codeql-action/upload-sarif@27fcff4ecb39e96348e7ceddcc2d9ef42308b6fc # v4

31
.trivyignore
Unescape Escape View File

@ -1,3 +1,34 @@
# =============================================================================
# System Libraries - Waiting for upstream fixes in python:3.14-slim base image
# =============================================================================
# glibc vulnerabilities - system library, waiting for Debian/Python base image updates
CVE-2026-0861 # glibc: Integer overflow in memalign leads to heap corruption
CVE-2026-0915 # glibc: Information disclosure via zero-valued network query
# libtasn1 - system library dependency, not directly used by amcrest2mqtt
CVE-2025-13151 # libtasn1: DoS via stack-based buffer overflow in asn1_expend_octet_string
# =============================================================================
# curl - Pulled in as system dependency but specific vulnerable features not used
# =============================================================================
# amcrest2mqtt uses Python requests library for HTTP, not curl directly
# These CVEs relate to curl features (SSH, OAuth2, LDAP, cert pinning) not used by this app
CVE-2025-15224 # curl: SSH/SCP/SFTP transfers - not used
CVE-2025-15079 # curl: SSH transfers with specific options - not used
CVE-2025-14819 # curl: TLS with reused easy/multi handles - not used
CVE-2025-14524 # curl: OAuth2 bearer tokens - not used
CVE-2025-14017 # curl: Multi-threaded LDAPS transfers - not used
CVE-2025-13034 # curl: CURLOPT_PINNEDPUBLICKEY option - not used
# =============================================================================
# Other system dependencies not used by application
# =============================================================================
# OpenLDAP - not used by amcrest2mqtt (connects to Amcrest cameras and MQTT only)
CVE-2026-22185 # OpenLDAP LMDB: DoS and Info Disclosure via Heap Buffer Underflow
# libexpat is only pulled in via apt-get install git during build. # libexpat is only pulled in via apt-get install git during build.
# It is not used in the final runtime image or by amcrest2mqtt at all. # It is not used in the final runtime image or by amcrest2mqtt at all.
CVE-2025-59375 CVE-2025-59375

Write Preview
Loading…
Cancel
Save